The EU's landmark AI law may have a structural flaw hiding in plain sight.
The EU Artificial Intelligence Act sets up a compliance regime built on three pillars: upfront conformity checks, ongoing market monitoring, and mandatory re-assessment when a system undergoes a "substantial modification." Researchers publishing on arXiv argue all three pillars assume regulators can answer a question the law never actually resolves — whether an AI system updated after deployment is legally the same system as the one that was certified. The paper introduces something called the function+ framework, which ties an AI system's identity to its intended function and a set of "trustworthiness" criteria, and proposes it as both an auditing lens and a synchronic identity test — meaning a tool for deciding when two systems at the same moment in time count as the same for regulatory purposes.
The gap matters because AI systems get updated constantly — weights get retrained, prompts get revised, deployment contexts shift. Without a clear identity criterion baked into the law, regulators and vendors are left guessing whether a change triggers re-assessment or not. That ambiguity is a compliance loophole that could be driven through with ease, and the paper warns that the AIA currently offloads the hard calls to sector-specific or harmonization instruments that don't yet exist.
The researchers stop short of calling the law unworkable, instead offering two concrete fixes: more precise reporting of a system's intended purpose, and standardized trustworthiness reporting that allows comparisons across time and deployments. Good luck getting that standardized before the first wave of enforcement.